commit 2647eff0cfe45d69a290203b66f79d1a7f66fc09
Author: Jan Palus <[email protected]>
Date:   Sun Jul 28 15:15:34 2024 +0200

    luks: add basic support for waiting for fido2 token insertion

 geninitrd.sysconfig |  3 +++
 mod-luks.sh         | 26 +++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
---
diff --git a/geninitrd.sysconfig b/geninitrd.sysconfig
index 1268324..db80009 100644
--- a/geninitrd.sysconfig
+++ b/geninitrd.sysconfig
@@ -50,3 +50,6 @@ USE_UDEV=yes
 
 # install firmware to initrd
 #MODULE_qla2xxx_FIRMWARE="ql2300_fw.bin"
+
+# wait (in seconds) for FIDO2 token insertion when decrypting LUKS device
+# FIDO2_TOKEN_TIMEOUT=30
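Review bot: The new comment does not say what a value of 0 means, while mod-luks.sh in this same commit skips the wait entirely when the timeout is not greater than 0, which is the setting a headless or token-less build wants. Suggest `# wait (in seconds) for FIDO2 token insertion when decrypting LUKS device; 0 disables the wait (default: 30)` so the disable switch is discoverable from the sysconfig file alone.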
diff --git a/mod-luks.sh b/mod-luks.sh
index 54537ec..4d55908 100644
--- a/mod-luks.sh
+++ b/mod-luks.sh
@@ -117,7 +117,7 @@ luks_crypttab() {
        local LUKSNAME="$1"
 
        # copy from /etc/rc.d/init.d/cryptsetup
-       local dst src key opt mode owner failsafe token libdir cryptdir
+       local dst src key opt mode owner failsafe token libdir cryptdir 
fido2_token_found fido2_device fido2_token_timeout fido2_token_check
 
        while read dst src key opt; do
                [ "$dst" != "$LUKSNAME" ] && continue
@@ -170,6 +170,7 @@ luks_crypttab() {
                                                        if [ -e 
$libdir/libpcsclite_real.so.1 ]; then
                                                                inst_exec 
$libdir/libpcsclite_real.so.1 $libdir
                                                        fi
+                                                       fido2_token_found=1
                                                        ;;
                                                systemd-tpm2)
                                                        inst_d $cryptdir
@@ -192,6 +193,9 @@ luks_crypttab() {
                                        discard|allow-discards)
                                                crypttab_opt="$crypttab_opt 
--allow-discards"
                                                ;;
+                                       fido2-device=*)
+                                               fido2_device=${option#*=}
+                                               ;;
                                        *)
                                                warn "$dst: option \'$option\' 
is unsupported for LUKS partitions, ignored"
                                                ;;
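Review bot: The `fido2-device=` value is accepted here unvalidated and, in a later hunk of this commit, substituted into generated linuxrc shell code inside a double-quoted `[ ! -e \"$fido2_device\" ]`, so a value containing `"`, `$` or a backquote breaks or injects into the init script instead of being rejected at build time. crypttab is root-owned, so this is a robustness point rather than a privilege boundary, but the generator should check the value before storing it, e.g. `case $fido2_device in auto|/[A-Za-z0-9_./:-]*) ;; *) warn "$dst: invalid fido2-device '$fido2_device', using auto"; fido2_device=auto ;; esac`. The enclosing `case` and the whole of luks_crypttab start outside the hunk.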
@@ -199,6 +203,26 @@ luks_crypttab() {
                        done
                        IFS="$old_IFS"
 
+                       fido2_token_timeout=${FIDO2_TOKEN_TIMEOUT:-30}
+
+                       if [ -n "$fido2_token_found" ] && [ 
$fido2_token_timeout -gt 0 ]; then
+                               if [ ${fido2_device:-auto} = "auto" ]; then
+                                       inst_exec /usr/bin/fido2-token /bin
+                                       fido2_token_check='[ -z 
"$(/bin/fido2-token -L 2>/dev/null)" ]'
+                               else
+                                       fido2_token_check="[ ! -e 
\"$fido2_device\" ]"
+                               fi
+                               add_linuxrc <<-EOF
+                               if $fido2_token_check; then
+                                       echo '<5>Waiting for FIDO2 token' > 
/dev/kmsg
+                                       i=0
+                                       while $fido2_token_check && [ \$i -lt 
$fido2_token_timeout ]; do
+                                               usleep 1000000
+                                               i=\$((i + 1))
+                                       done
+                               fi
+                               EOF
+                       fi
                        verbose "+ cryptsetup ${keyfile:+-d $keyfile} open 
$crypttab_opt '$src' '$dst'"
                        add_linuxrc <<-EOF
                        debugshell
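Review bot: `[ $fido2_token_timeout -gt 0 ]` and `[ ${fido2_device:-auto} = "auto" ]` leave their expansions unquoted, so an empty or non-numeric `FIDO2_TOKEN_TIMEOUT` from sysconfig aborts geninitrd with a `[` error rather than a clear message, and the same unchecked value is then pasted verbatim into the linuxrc `while` test. Validate it once after the default is applied: `case $fido2_token_timeout in ''|*[!0-9]*) warn "invalid FIDO2_TOKEN_TIMEOUT '$fido2_token_timeout', using 30"; fido2_token_timeout=30 ;; esac`, and quote the two tests. Separately, when the loop gives up nothing is logged and cryptsetup runs anyway; a line after `done` such as `[ \$i -lt $fido2_token_timeout ] || echo '<4>FIDO2 token not found, continuing' > /dev/kmsg` would make a failed boot much easier to diagnose from dmesg. luks_crypttab starts and ends outside the hunk.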
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/projects/geninitrd.git/commitdiff/2647eff0cfe45d69a290203b66f79d1a7f66fc09
